Platform: php
Component: tuleap
Fixed in: 17.0.100, 17.0.1, 16.13.1, 16.12.1
CVE-2025-64499 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Tuleap, a free and open-source suite for software development and collaboration management. This vulnerability allows attackers to manipulate the planning management API, potentially leading to unauthorized creation, modification, or deletion of plans. The vulnerability impacts Tuleap Enterprise Edition versions prior to 16.13-7, as well as Community Edition versions before 17.0.99.1762456922. A fix is available in Tuleap Enterprise Edition versions 16.13.1, 16.12-10, and 17.0-2.
Successful exploitation of CVE-2025-64499 allows an attacker to execute arbitrary actions within the Tuleap environment through a victim's authenticated session. Specifically, they can create, edit, or delete plans, potentially disrupting workflows, introducing malicious configurations, or gaining unauthorized access to sensitive data related to software development and collaboration. The blast radius extends to any user with access to the planning management API, and a compromised plan could impact multiple projects and teams. While the vulnerability doesn't directly lead to system compromise, it can be a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations.
CVE-2025-64499 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a lower probability of immediate widespread exploitation. However, the ease of CSRF exploitation means that this vulnerability could be targeted by opportunistic attackers. The vulnerability was publicly disclosed on 2025-12-08.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64499 is to upgrade Tuleap Enterprise Edition to version 16.13.1 or later, or to version 16.12-10 or 17.0-2. If an immediate upgrade is not feasible, consider implementing stricter input validation and output encoding on the planning management API to reduce the attack surface. Implementing CSRF protection mechanisms, such as synchronizer tokens or double-submit cookies, can also help mitigate the risk. Review and restrict access to the planning management API to only authorized users. After upgrading, confirm the fix by attempting to trigger a plan creation/modification request from a separate browser session without valid credentials; the request should be rejected.
Update Tuleap Community Edition to version 17.0.99.1762456922 or later. For Tuleap Enterprise Edition, update to version 17.0-2, 16.13-7, or 16.12-10 or later, as appropriate for your current version. This corrects the CSRF vulnerability in the planning management API.
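The synchronizer-token protection named in the mitigation section, shown as an added PHP illustration that is not Tuleap's own code: a hypothetical "create plan" handler in its CSRF-prone form beside a version guarded by a session-bound token and an Origin check (the session key, the X-CSRF-Token header name and the $store callback are assumptions).

```php
<?php
// Added illustration, not Tuleap code: a hypothetical "create plan" handler in its
// CSRF-prone form and guarded with a per-session synchronizer token plus an Origin
// check. Session key, header name and the $store callback are assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token_plan_api'; // hypothetical session slot

// Issue (or reuse) the session-bound token; the page embeds it in the form or
// sends it back in an X-CSRF-Token header on every state-changing request.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Constant-time comparison so the check cannot be used to guess the token.
function csrfTokenIsValid(?string $presented): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    return $presented !== null && $expected !== '' && hash_equals($expected, $presented);
}

// Defence in depth: a form posted from another site carries that site's Origin.
function originIsTrusted(array $server): bool
{
    $host = parse_url($server['HTTP_ORIGIN'] ?? '', PHP_URL_HOST);
    return is_string($host) && $host === ($server['SERVER_NAME'] ?? '');
}

// VULNERABLE: only the session cookie is relied on, and the browser attaches it
// automatically, so a hidden form on any site can create a plan as the victim.
function createPlanVulnerable(array $post, callable $store): void
{
    $store((int) $post['project_id'], (string) $post['name']);
}

// HARDENED: refuse unless the request carries the token only our own page knows.
function createPlanHardened(array $post, array $server, callable $store): void
{
    $token = $server['HTTP_X_CSRF_TOKEN'] ?? $post['csrf_token'] ?? null;
    if (!csrfTokenIsValid($token) || !originIsTrusted($server)) {
        throw new RuntimeException('CSRF check failed', 403); // caller maps to HTTP 403
    }
    $store((int) $post['project_id'], (string) $post['name']);
}
```

Issuing the session cookie with SameSite=Lax (via session_set_cookie_params before session_start) adds a browser-side layer, but it does not replace the server-side token check.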
CVE-2025-64499 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Enterprise Edition versions prior to 16.13-7, allowing attackers to manipulate the planning management API.
You are affected if you are running Tuleap Enterprise Edition versions prior to 16.13-7, 16.12-10, or 17.0-2.
Upgrade to Tuleap Enterprise Edition version 16.13.1 or later, or to version 16.12-10 or 17.0-2. Consider implementing CSRF protection mechanisms as an interim measure.
While there are no widespread reports of active exploitation, the ease of CSRF exploitation means it could be targeted by opportunistic attackers.
Refer to the official Tuleap security advisories on their website for the most up-to-date information and guidance.